nexus | 0c78489423101d08e47d67ab467a45edacf84ea46ef1f7c0370084dc7a956867

Resubmissions

08/04/2024, 12:28

240408-pnlb2acd6t 10

08/03/2024, 09:07

240308-k3bc6abc69 10

23/03/2023, 01:50

230323-b89y8scg82 10

Analysis

max time kernel
298s
max time network
312s
platform
android_x64
resource
android-x64-20240221-en
resource tags

androidarch:x64arch:x86image:android-x64-20240221-enlocale:en-usos:android-10-x64system
submitted
08/04/2024, 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

376d13affcbfc5d5358d39aba16b814f711f2e81632059a4bce5af060e038ea4.apk
Size

4.6MB
MD5

d4c6871dbd078685cb138a499113d280
SHA1

60b64c8481f9de5b92634efc70a9ff42f451c78f
SHA256

376d13affcbfc5d5358d39aba16b814f711f2e81632059a4bce5af060e038ea4
SHA512

e8823b7c73140af88ad6fd8c52a6619d245281170ddb31feb9d4e726ee47a8f34575f687048947272fabfb13dbed2c24f50d6fbd6117d40c1db577305955af59
SSDEEP

98304:M0C+HR25SOeU0lhoBenZFOw2QxW74PNTcG/bZ7vf0sc:jCmtO/07oEOw2QU74PNT9/t7nc

Score

10^/10

nexus banker collection discovery evasion infostealer persistence trojan

Malware Config

Extracted

Family

nexus

http://193.42.32.84/

http://193.42.32.87/

Signatures

Nexus
Nexus is an Android banking trojan related to the SOVA banking trojan.
banker trojan infostealer nexus

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.help.marine
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.help.marine

Checks CPU information 2 TTPs 1 IoCs

Checks CPU information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.help.marine

Checks memory information 2 TTPs 1 IoCs

Checks memory information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.help.marine

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.help.marine/app_DynamicOptDex/nx.json	5091	com.help.marine

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.help.marine

Queries account information for other applications stored on the device. 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccounts	com.help.marine

Reads the contacts stored on the device. 1 TTPs 1 IoCs

collection

Contact List

T1636.003

description	ioc	Process
URI accessed for read	content://com.android.contacts/contacts	com.help.marine

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.help.marine

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

com.help.marine
1⤵
- Makes use of the framework's Accessibility service
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries account information for other applications stored on the device.
- Reads the contacts stored on the device.
- Acquires the wake lock
PID:5091

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

System Information Discovery

T1426

Lateral Movement

Collection

Protected User Data

T1636

Contact List

T1636.003

Screen Capture

T1513

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.help.marine/app_DynamicOptDex/nx.json

Filesize
2.2MB

MD5
cf9772416a747ac509ec2970cb9c9e74

SHA1
128bcf36307203dbb198d45c3560f30cd63bbd8d

SHA256
6e9478358dbfbefe00e28c9bf85255a8706873479cf8f0746a2246bbbab03c04

SHA512
9f0789d68ba6143d289a066db215a06b64adafa7967bd6915516f12ee416a02cb70bb52dc6cef945ed8965640e8d969093b33c2ce0fc35c480b9cfc57c8da014

Download Submit
/data/data/com.help.marine/app_DynamicOptDex/nx.json

Filesize
2.2MB

MD5
dd644c0a66a11feb4a0d086916d77d42

SHA1
06c009c8e0e9258ab46348573a8023ba2a17086d

SHA256
12d162274020d3a09c7921c34ab8461a1a2a562667feb79f4ab222813b7e6b43

SHA512
f8978a8486d094b33024c0c4d40dd1eca425ab66ed6fe6423e176cb5edb2e38007410b47010c3e3f5edf6a3229f8ef4e61bbb991bd213d52ca8afc49492b4ddc

Download Submit
/data/data/com.help.marine/app_DynamicOptDex/oat/nx.json.cur.prof

Filesize
3KB

MD5
135bb70f918b5ccc6e851ff9b34196ac

SHA1
0f9245370eb02f50075e8e4d567c6fb409b3baea

SHA256
ffeb085898f521515e6862e17e4fe34b95d058b9611b3cf745f086e1760bba6e

SHA512
6dc833918ad77fcab0ff121bdb219a5f6edc9f865c75ea700f9e76a8c46ed631c268bcb2342126090c5f103c85011e69368eb3f8369c2894697ce7252b58d43d

Download Submit
/data/data/com.help.marine/app_DynamicOptDex/oat/nx.json.cur.prof

Filesize
3KB

MD5
0a78a2ba223c91db77c74041568d4b67

SHA1
e99cdc25b69306d3cb758587fb775e8f482c617a

SHA256
07fa6936ee3a63299c25d95e8d231c34454e12a55b757561eeb5496efa6fc69d

SHA512
53a1d6a1e60711ab028c11c562b098b1f8629e7b4c151868916c5ab4090b523a6942f29e257c6aabf8a67e88ab2eb587d44887a8efa551255b8055a99079f565

Download Submit
/data/data/com.help.marine/app_DynamicOptDex/oat/nx.json.cur.prof

Filesize
3KB

MD5
7353ec65b41da4a9ad55c30645052ac2

SHA1
7cb05339c1f74481b16dc7c500c1afa8db40504b

SHA256
c5b605f1c80d5aec415da4bd5e215a5b8509a30595810c1dfc456742e03225df

SHA512
69a429c89404aa63f12a1c40e400b9b1a8a0cd8d7b8247d051bac6a05d2bbadc292b50c109230293497900833e820357ece5c6387cd0b830b03cb9f088e3b9c5

Download Submit
/data/data/com.help.marine/app_DynamicOptDex/oat/nx.json.cur.prof

Filesize
3KB

MD5
1d8a2cb556be6d9bd0405fb7bb6a7b5a

SHA1
6b560d58a1da8d50d2ea6bad21859cf9da48d4ef

SHA256
eec6ffa9fcc6b4aeccd827ade69d79ae3638109568121cab548416a2e3a37a94

SHA512
665dcbf7709d2090dbdeb55675acc5562ddd2b4605adbca4e87950b9194a746880884ae77696d26115ba49e6ff11ee5987a011e141b1e79ed5edb2e640ed1c3b

Download Submit
/data/data/com.help.marine/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.help.marine/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
68c356e522b70c6793e156d38bf419f6

SHA1
b34f4f79638873d8cd616e2483a8b58852a218ac

SHA256
629351d3b8e451abe95a6df4c1627204738e1be872c61ecd1d0183950b8f5177

SHA512
f1ee9e48723b01d9c4f126e2477f3cb55a5e6e67956c3661805a839de998c02f2ea7d12e52855195b34e4d91e2a8a391cccf9b22394f73df546bfc6008c369f5

Download Submit
/data/data/com.help.marine/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.help.marine/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
3e0088f686cea884da433aab30748e91

SHA1
4094a6ea62a189cf14e27be62607512e0c11766f

SHA256
77d1b222f5fbe59f67a18356bc0985de0dc8632e2982acf4d528915f09a5b5d1

SHA512
2a5c83db2a2a835ed516de6399a0bd4a93117c444dfffbf9a518387431a967f9bd0ed87c14794ba10188adcb9a9da137e922ea9a0cd43afa52670ba949ea472e

Download Submit
/data/data/com.help.marine/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
a4a9ba8f54cff90361c90bf09a4653cc

SHA1
fd6591798a57b46dc6a7876b15b5326449a3397b

SHA256
5c8105419aebc9a85002ec24197aac515e8526664e26637efdfe7ddb8dd97b28

SHA512
fd234eb728d6b46dc6467a566c41cd8471599e367d86bec97c4a833af4a9c4aefb08eb6837055351a0cdaa91008ce686aff5967bed04ab6fa16ab2d0e5bc07cf

Download Submit
/data/data/com.help.marine/no_backup/androidx.work.workdb-wal

Filesize
229KB

MD5
2fbf450e223c6d8bf98a8ccd917e284a

SHA1
15bf93b4057544873e0d2b280f0c4f53182c7a10

SHA256
349268cea2426a0e711d31e576d40cb828dc53f2fe1c982d84c90676df8576c5

SHA512
fba34b5253e9dc7bf0ee8561ebe6f8a58cb8ed28c0b17c814e5017bfa1a802d7cb0a225907a4dd6453953cc1deb110b379abd02e5da2d91879d4e606dbfeb04f

Download Submit
/data/user/0/com.help.marine/app_DynamicOptDex/nx.json

Filesize
6.1MB

MD5
781a5fd150ae010085b1e7ff4501a0f4

SHA1
bfbe600cec76f9f00f02a6f0eca5f4bbd5eb1e71

SHA256
9ae5523ea2a7080ac97ef5443bf4b781f775c67fefaec687e58b5b983caf3146

SHA512
d5dafba7a47802f4312d03557c428e4834d1ca02f0e49f60bb59873ca674deb7be340cb6d0a714295c29894746512869d480da21ab3862eeb27fee9265a98bde

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads